Analysis Overview
SHA256
f5b891ae8f3281790e3b0090a1194368806795e7040877bc527c75f4e78bb59f
Threat Level: Known bad
The file 2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-22 21:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-22 21:03
Reported
2024-05-22 21:05
Platform
win7-20240221-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches, no details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches, no details recorded | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 63 matches, no details recorded | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 39 matches, no details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rlrcCNs.exe | N/A |
| N/A | N/A | C:\Windows\System\npiwHQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AwVHFPX.exe | N/A |
| N/A | N/A | C:\Windows\System\MNbcIJN.exe | N/A |
| N/A | N/A | C:\Windows\System\oClRLGC.exe | N/A |
| N/A | N/A | C:\Windows\System\yJKWIkV.exe | N/A |
| N/A | N/A | C:\Windows\System\tmdCzJE.exe | N/A |
| N/A | N/A | C:\Windows\System\tJhAHfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hahnrgn.exe | N/A |
| N/A | N/A | C:\Windows\System\dxwneza.exe | N/A |
| N/A | N/A | C:\Windows\System\kEUivoc.exe | N/A |
| N/A | N/A | C:\Windows\System\VcYLhtl.exe | N/A |
| N/A | N/A | C:\Windows\System\uMWjaLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\iKTzwDD.exe | N/A |
| N/A | N/A | C:\Windows\System\hVGPoxi.exe | N/A |
| N/A | N/A | C:\Windows\System\CWgBBkV.exe | N/A |
| N/A | N/A | C:\Windows\System\JIEOtbi.exe | N/A |
| N/A | N/A | C:\Windows\System\bHkFBHY.exe | N/A |
| N/A | N/A | C:\Windows\System\vKxvEGR.exe | N/A |
| N/A | N/A | C:\Windows\System\oOLyCQi.exe | N/A |
| N/A | N/A | C:\Windows\System\RdqWwXi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 63 matches, no details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rlrcCNs.exe
C:\Windows\System\rlrcCNs.exe
C:\Windows\System\npiwHQJ.exe
C:\Windows\System\npiwHQJ.exe
C:\Windows\System\AwVHFPX.exe
C:\Windows\System\AwVHFPX.exe
C:\Windows\System\oClRLGC.exe
C:\Windows\System\oClRLGC.exe
C:\Windows\System\MNbcIJN.exe
C:\Windows\System\MNbcIJN.exe
C:\Windows\System\yJKWIkV.exe
C:\Windows\System\yJKWIkV.exe
C:\Windows\System\tmdCzJE.exe
C:\Windows\System\tmdCzJE.exe
C:\Windows\System\tJhAHfZ.exe
C:\Windows\System\tJhAHfZ.exe
C:\Windows\System\hahnrgn.exe
C:\Windows\System\hahnrgn.exe
C:\Windows\System\dxwneza.exe
C:\Windows\System\dxwneza.exe
C:\Windows\System\kEUivoc.exe
C:\Windows\System\kEUivoc.exe
C:\Windows\System\VcYLhtl.exe
C:\Windows\System\VcYLhtl.exe
C:\Windows\System\uMWjaLQ.exe
C:\Windows\System\uMWjaLQ.exe
C:\Windows\System\iKTzwDD.exe
C:\Windows\System\iKTzwDD.exe
C:\Windows\System\hVGPoxi.exe
C:\Windows\System\hVGPoxi.exe
C:\Windows\System\CWgBBkV.exe
C:\Windows\System\CWgBBkV.exe
C:\Windows\System\JIEOtbi.exe
C:\Windows\System\JIEOtbi.exe
C:\Windows\System\bHkFBHY.exe
C:\Windows\System\bHkFBHY.exe
C:\Windows\System\vKxvEGR.exe
C:\Windows\System\vKxvEGR.exe
C:\Windows\System\oOLyCQi.exe
C:\Windows\System\oOLyCQi.exe
C:\Windows\System\RdqWwXi.exe
C:\Windows\System\RdqWwXi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2000-0-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2000-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\rlrcCNs.exe
| MD5 | c68a50e0a897cc2c63c63a9297f49583 |
| SHA1 | b7664e57a3cd3bc58950b9a56140e722ba776210 |
| SHA256 | 10fe6c2a25661bf2a579ae256ae3cd70133c4af63059d77a4b1cfb249ab44eb5 |
| SHA512 | ee0c1b805bef065482bed07613be709d6d042032cfd60dbbee5d3fe63985a842010a2c912fabc10533e2b800d05b04e7f77dfccc4b06502cccc2700441340ab5 |
memory/2784-9-0x000000013F660000-0x000000013F9B1000-memory.dmp
\Windows\system\npiwHQJ.exe
| MD5 | c66fa88bcff11fafaf128d479e096c52 |
| SHA1 | 0e07486d4fa0b391e43b5759ce685e2c08aeba74 |
| SHA256 | 2949c59f535cf9e527b55ece1a99f1b3bbb40d9c49ae3e4afaaffa85dea54cb5 |
| SHA512 | 8bc101642ff21f877f69932eb1e75850f8398e5f66d45da977df76823ef568c5cc073bf1d47777a22962f8ca421e25b88fd5101a667a8927f897a39be1779426 |
C:\Windows\system\AwVHFPX.exe
| MD5 | a574db9a770c91ce109a6bc99ee8c1f1 |
| SHA1 | 05f16baecea4b66d5d5df8683d84d4e06242d63f |
| SHA256 | 0068be446b3d8cd4ac34a064876de82234e71375b8934d0ac144e184ae19cd89 |
| SHA512 | 6787a9a1d79d5c573726cb4d7419a487571d8ad6976188c7535ee0de57b6c5e3490984992647c367882105ff33df224e3d8c435b60d4083ff722a81c22ba5c29 |
memory/2000-8-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2976-15-0x000000013FE30000-0x0000000140181000-memory.dmp
\Windows\system\oClRLGC.exe
| MD5 | 23ad2b4936a3397e834aec6b6764ba6b |
| SHA1 | c72f6db259a50c637fcc865e2252c88e590738c0 |
| SHA256 | 53071b73eac629e8d87b5b2156178b34ab084a0e8e571f214e2c23005a3ec084 |
| SHA512 | ee1ab822c8abaabfa779e65d87adeba8e5d16bfb56d037bef30ac923143631881a65a42c27c5c9a7309cdf593102a56c6e1ca110a45fc19cc025269fc1cfaa3b |
memory/2636-35-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2516-34-0x000000013FD60000-0x00000001400B1000-memory.dmp
C:\Windows\system\yJKWIkV.exe
| MD5 | cd44357152911c33dc86683e2c9407fd |
| SHA1 | be704c030904eb5ace88d375a99b5febc1a8b1fd |
| SHA256 | eb77c138b90fb7b52f6381d07fbc3204a077c1582f02e34cbc54253dd4bcdf83 |
| SHA512 | 345cd9c96f80ebf72b3603ddc38a2dbcf04421d2c9cedd13338c489be716a2b5c1dfb158d1124d0d0cd1616935cdd938fecc555288dc7020566a044a7bfb2c10 |
C:\Windows\system\tJhAHfZ.exe
| MD5 | 094b8cd4d8c52799029ec4873411b901 |
| SHA1 | 13a20faf0fdebe61b9fd56ba3960c1f1c3f9ece3 |
| SHA256 | 4aa9d8b3dc761e805657a47befbb30f65524d84f66ba92ef51b76c077aaa49ed |
| SHA512 | 24066795fc07b23f9b9f4048affc3f573c62c4fa77b2f84078341445e213e17f58d7d4db0b105246e622872820c769d41bab5448fc4c66460306597caa1dad65 |
memory/1904-63-0x000000013FEC0000-0x0000000140211000-memory.dmp
C:\Windows\system\kEUivoc.exe
| MD5 | e30c10f817d419a9e57a4ff0ccc142a8 |
| SHA1 | c163733e3200202d7935c70b35775a80b1eb126b |
| SHA256 | b61737de690ffd57657fae2716cc552ccf0e99e5856a1d30ea2e7578455c52ad |
| SHA512 | d36034ca8f6804f64c9b80466d49046ba94e16d25038732a239d37dc1b8ad093247b1df880e93846f51cc87b98bcd3c82d50c4f77fb667c4330313cbf02cf753 |
memory/1360-76-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2556-91-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
\Windows\system\iKTzwDD.exe
| MD5 | c08370082975b5519f98fbbe6831e055 |
| SHA1 | 351342be9024a3bc66961b5c1b789245d44ae976 |
| SHA256 | 8f6955c96b5d6e0037a6784786c37e63d112349a1a486601d6890a45e7de3692 |
| SHA512 | 2d0581ce2294f82e87549deaf1faca66804f79933902778d43a6e9038b943e309af1d37050562dece1f45296239a430f4c844956b36cbb384f018ff27f547db1 |
memory/1800-98-0x000000013F090000-0x000000013F3E1000-memory.dmp
C:\Windows\system\CWgBBkV.exe
| MD5 | ca47a24747cf73bd8c9ee4bb01f25fdd |
| SHA1 | ebe7d5ec45ba7dccce48521b1926a93127295909 |
| SHA256 | 4602958744bfa7070701f7f56fe19cb1446c908648b2f075d194628093a2a42f |
| SHA512 | fbb1badde4cbd1de822451520b47f470f6302c3cbb471ed1650bb2fbda928f3f3176be2a6f419350592a05bb9d61cc576471b9db6450a46ed55b56e7e5290230 |
C:\Windows\system\oOLyCQi.exe
| MD5 | 5e1718309f5911c1ac88e32141d2915c |
| SHA1 | 82720551fd43be9d9582b913ae482ed7d4ae9817 |
| SHA256 | 87e53b0a5b583b022faefe04de86247be4b1f6a4850a34250632d985d724da66 |
| SHA512 | 241c203632d63957d94a18d608a51918e0f850593d7ab8afb44865c6f183485e21d877e74a86debe91e02d259639ef2faa232f6e995b3b47fb9c55c8a8728d87 |
C:\Windows\system\RdqWwXi.exe
| MD5 | 551feb8a00c4136cb453095ebe4fd9f3 |
| SHA1 | 8114dd338dd164cc79f8848a33e8d7ee55d9b7f0 |
| SHA256 | 8ec7e64994e7fd1dab08ae07a1c9bb1afcae2d5d599448f406df3413acf22357 |
| SHA512 | 02fb3233aa9e80ed85ba693306b4681a2be9d7a79c10770b399fc1b041561d41ea70c9424302ff06c9acaaadf3426c40a6624f4c09b798e00e156c79f7dfaf24 |
C:\Windows\system\vKxvEGR.exe
| MD5 | 3f45937c2b99db5f7e11238bfc09df13 |
| SHA1 | 89150d0c683cfc6350377de45fb1593e10c99bbc |
| SHA256 | 3f88f87d486b4fb229d30d93ca24db9d52e422f31e615b582dca788fb60556d1 |
| SHA512 | 31de88b0f3569d358ad4e4ade340b2619ea8ebd533fe9710964f9f4f028a0cbc4887bef46290a974ac351d609d3d06123d99de48c5914ff313a8c069f2712749 |
C:\Windows\system\bHkFBHY.exe
| MD5 | a276916279ead9e659f7d387943440ac |
| SHA1 | 6a0e70b354f028d3ac7994e5dbd52efc40bdeaaf |
| SHA256 | 824ca288c0bf57dce875b1b3392a7bd91c26607bdbe61925fdf19e34ea74c18f |
| SHA512 | 73686f594e8cf41e88a528641fe40680ba3512d22c743fbc457abf5a9a09d7f62609a59008142830e007adb4a0ef95058a50038c679a1e4bed69092dec86f15e |
C:\Windows\system\JIEOtbi.exe
| MD5 | 971ff64b0fcdd29d5b37a4198201d98c |
| SHA1 | 7087499da5e17ced66c32ea9b7a228f82649f3a5 |
| SHA256 | 5d88c6c9a14ee11cf101287f1994f6771348394792164b9fc5e37024bd1c46e4 |
| SHA512 | 97e3454750bc877665e737673aa85399c0d6416b59ec70e0b93b9b91e77e42254403707b8c3de781e8cbcc8981927f85614c6a93d4e7a2a3da9dd3053f7ee4e1 |
memory/2000-104-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2596-103-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2000-102-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2516-97-0x000000013FD60000-0x00000001400B1000-memory.dmp
C:\Windows\system\hVGPoxi.exe
| MD5 | d1cd782d694a8d035f6df2cc6f83e10f |
| SHA1 | 15e1e2decf18769214514ece837d740cd9ea36a9 |
| SHA256 | d9eb2f38839dd6daf6bb514d640bf4b915f99ff7f57dbfff39f0fe7f41da3659 |
| SHA512 | 74d31140dd103cc3ed30a06122fb2191059459d0c46c7a3fe905a159fae12b6e6bf5dfcac12f185c607b8fdd4287b10452b4705aca9567f3e8293ece0668c22c |
memory/2000-90-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\uMWjaLQ.exe
| MD5 | 3d867a878a6d7f6a3e7531858ae2fbba |
| SHA1 | 831689fa7971dd0c6f8ea3c2b9bd7277204f7a6f |
| SHA256 | 668edf4dd18064a0a0e531ed6ecb05a687a1a66f5b9a6b881462521612e5853c |
| SHA512 | db00799cf0d3f4f6751dc21d959ae68480f9b87f5a1c7475f733cedcfe71a8551f99e5a294ea7426e9645daf41cb635f4a79e7b6df9d9541eba84e230ad7a848 |
memory/2672-84-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2000-83-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2976-82-0x000000013FE30000-0x0000000140181000-memory.dmp
C:\Windows\system\VcYLhtl.exe
| MD5 | f52641e2abf962a63038fbc6196d7004 |
| SHA1 | 6deb0b6ab7353bba11a8e01e9d8880dc70db4584 |
| SHA256 | ad25f8fe14b40bceb8da76c65e82ad6f387fc183b50a1dc18e25c52ab31d6716 |
| SHA512 | 3799f9d95d017d751697ceb9890e7147792a66168d8cd7f51ebdc500c6927c35e1005c2c2c4aa48d6c36d8794dd1568fa1e0fe6ec862264b80fec6ffbff9c0b3 |
memory/1580-70-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2000-69-0x000000013F440000-0x000000013F791000-memory.dmp
C:\Windows\system\dxwneza.exe
| MD5 | 2fa3c0db1449c1f6af2a19d6e3fd44e1 |
| SHA1 | ab29eb1555d3f05df9daa7763914ef8966f8d05e |
| SHA256 | 7320f55a223301ac17de3a747452ee18463c9205a0d8c17666caf6c4101df1ba |
| SHA512 | af8cab6303685aef45f52c29aea18743bbb9476628d69f3acda272ccebd9291d4d9daf903fd4a37951d79177306e6163f9947870cd2550554d17f6dac2908c8d |
memory/2000-62-0x000000013FEC0000-0x0000000140211000-memory.dmp
C:\Windows\system\hahnrgn.exe
| MD5 | d311ca33e1888aa854e594b22ed8a3be |
| SHA1 | 6b960aed0c17c2ba469029b9a1e464f5cba5b6f7 |
| SHA256 | fec68641ee15f35a0f2e83293f35149fb9a0dbb1b7fdbfc00b3438557fb54033 |
| SHA512 | 7a3deb886bf7bc8432cb221eace016577600e2769cd84c236f3d3260b86a83aff2236f8117feaae6c9efff9c093528f49c1ce3988c38a68764d579e71bacd60c |
memory/2128-56-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2000-55-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2928-49-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2000-48-0x000000013FCE0000-0x0000000140031000-memory.dmp
C:\Windows\system\tmdCzJE.exe
| MD5 | 7fd30628914668e17f269f1d1dbdac19 |
| SHA1 | 3476aacec4b3dc721fb1f4f894963149d0f91e85 |
| SHA256 | 941618d5537d132caac0d4607cef118fd39eb17789f6e8ab9ef3ed1c0f9a7436 |
| SHA512 | 374b6012839bb9dc88c6635242b0b63173265295f52fbaca5782f8bad4aa08b6a57fdae3d63e1590a4583618673ff858e71a42b37fee5d027ffbe7f7a4d2daa1 |
memory/2596-39-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\MNbcIJN.exe
| MD5 | ef9b862b3b3b57d7cc1d2a0b5c4e31aa |
| SHA1 | 41f48e9eacc018d07c7607641cc3bbce559109bd |
| SHA256 | a29c9e897f6aebde17a0c3aa734fef907d2b6b7152512677547f720fd5b02b90 |
| SHA512 | 3688a4c5523832b92f1323eac742176d62de21086ed8b24a56cdd405195937820de52173c3d45b3fb2d762137a73d4f2bd47f971f4626da1e3452b46197f2212 |
memory/2000-30-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2000-29-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2584-28-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2000-14-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2000-136-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1600-154-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2000-158-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/336-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/1424-155-0x000000013F400000-0x000000013F751000-memory.dmp
memory/2164-153-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1732-152-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/1516-151-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/780-157-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2000-159-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2000-160-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2000-173-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2784-213-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2976-215-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2584-217-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2636-219-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2596-221-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2516-223-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2928-225-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2128-227-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1904-229-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1580-231-0x000000013F230000-0x000000013F581000-memory.dmp
memory/1360-233-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2672-235-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2556-237-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/1800-239-0x000000013F090000-0x000000013F3E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-22 21:03
Reported
2024-05-22 21:05
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches, no details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches, no details recorded | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches, no details recorded | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 46 matches, no details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rlrcCNs.exe | N/A |
| N/A | N/A | C:\Windows\System\npiwHQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AwVHFPX.exe | N/A |
| N/A | N/A | C:\Windows\System\oClRLGC.exe | N/A |
| N/A | N/A | C:\Windows\System\MNbcIJN.exe | N/A |
| N/A | N/A | C:\Windows\System\yJKWIkV.exe | N/A |
| N/A | N/A | C:\Windows\System\tmdCzJE.exe | N/A |
| N/A | N/A | C:\Windows\System\tJhAHfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hahnrgn.exe | N/A |
| N/A | N/A | C:\Windows\System\dxwneza.exe | N/A |
| N/A | N/A | C:\Windows\System\kEUivoc.exe | N/A |
| N/A | N/A | C:\Windows\System\VcYLhtl.exe | N/A |
| N/A | N/A | C:\Windows\System\uMWjaLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\iKTzwDD.exe | N/A |
| N/A | N/A | C:\Windows\System\hVGPoxi.exe | N/A |
| N/A | N/A | C:\Windows\System\CWgBBkV.exe | N/A |
| N/A | N/A | C:\Windows\System\JIEOtbi.exe | N/A |
| N/A | N/A | C:\Windows\System\bHkFBHY.exe | N/A |
| N/A | N/A | C:\Windows\System\vKxvEGR.exe | N/A |
| N/A | N/A | C:\Windows\System\oOLyCQi.exe | N/A |
| N/A | N/A | C:\Windows\System\RdqWwXi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches, no details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-22_c5e3f5b300bd3e7060f6daf6e0b894d0_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rlrcCNs.exe
C:\Windows\System\rlrcCNs.exe
C:\Windows\System\npiwHQJ.exe
C:\Windows\System\npiwHQJ.exe
C:\Windows\System\AwVHFPX.exe
C:\Windows\System\AwVHFPX.exe
C:\Windows\System\oClRLGC.exe
C:\Windows\System\oClRLGC.exe
C:\Windows\System\MNbcIJN.exe
C:\Windows\System\MNbcIJN.exe
C:\Windows\System\yJKWIkV.exe
C:\Windows\System\yJKWIkV.exe
C:\Windows\System\tmdCzJE.exe
C:\Windows\System\tmdCzJE.exe
C:\Windows\System\tJhAHfZ.exe
C:\Windows\System\tJhAHfZ.exe
C:\Windows\System\hahnrgn.exe
C:\Windows\System\hahnrgn.exe
C:\Windows\System\dxwneza.exe
C:\Windows\System\dxwneza.exe
C:\Windows\System\kEUivoc.exe
C:\Windows\System\kEUivoc.exe
C:\Windows\System\VcYLhtl.exe
C:\Windows\System\VcYLhtl.exe
C:\Windows\System\uMWjaLQ.exe
C:\Windows\System\uMWjaLQ.exe
C:\Windows\System\iKTzwDD.exe
C:\Windows\System\iKTzwDD.exe
C:\Windows\System\hVGPoxi.exe
C:\Windows\System\hVGPoxi.exe
C:\Windows\System\CWgBBkV.exe
C:\Windows\System\CWgBBkV.exe
C:\Windows\System\JIEOtbi.exe
C:\Windows\System\JIEOtbi.exe
C:\Windows\System\bHkFBHY.exe
C:\Windows\System\bHkFBHY.exe
C:\Windows\System\vKxvEGR.exe
C:\Windows\System\vKxvEGR.exe
C:\Windows\System\oOLyCQi.exe
C:\Windows\System\oOLyCQi.exe
C:\Windows\System\RdqWwXi.exe
C:\Windows\System\RdqWwXi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files